android_kernel_samsung_univ.../arch
Paolo Bonzini 816307c80d KVM: x86: fix emulation of "MOV SS, null selector"
commit 33ab91103b3415e12457e3104f0e4517ce12d0f3 upstream.

This is CVE-2017-2583.  On Intel this causes a failed vmentry because
SS's type is neither 3 nor 7 (even though the manual says this check is
only done for usable SS, and the dmesg splat says that SS is unusable!).
On AMD it's worse: svm.c is confused and sets CPL to 0 in the vmcb.

The fix fabricates a data segment descriptor when SS is set to a null
selector, so that CPL and SS.DPL are set correctly in the VMCS/vmcb.
Furthermore, only allow setting SS to a NULL selector if SS.RPL < 3;
this in turn ensures CPL < 3 because RPL must be equal to CPL.

Thanks to Andy Lutomirski and Willy Tarreau for help in analyzing
the bug and deciphering the manuals.

Reported-by: Xiaohan Zhang <zhangxiaohan1@huawei.com>
Fixes: 79d5b4c3cd
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-01-19 20:17:19 +01:00
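The commit message above states the rule in words: a null selector may be loaded into SS only in 64-bit mode, only when its RPL equals CPL and RPL is below 3, and when accepted the emulator fabricates a data segment descriptor so that SS.DPL carries the CPL the VMCS/VMCB expect. The following C program is an added illustration of that rule, written for this page; it is not KVM's emulate.c or any code from the commit. The struct `seg_desc`, the function `model_load_ss`, the `LOAD_*` status codes and the scenario table are this example's own assumptions, and the selector values are constructed.

```c
/*
 * Added illustration, not KVM's emulate.c: a small model of the rule the
 * commit message states for loading a null selector into SS, so that the
 * interaction between selector RPL, CPL and the fabricated SS descriptor
 * can be exercised. seg_desc, model_load_ss, cpl_from_ss and the LOAD_*
 * codes are this example's own names (assumptions, not kernel identifiers).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SEL_RPL(sel)     ((sel) & 3u)          /* selector bits 1:0 */
#define SEL_IS_NULL(sel) (((sel) & ~3u) == 0)  /* GDT index 0, TI = 0, any RPL */

/* The descriptor fields that matter for the VMCS/VMCB SS checks. */
struct seg_desc {
    uint8_t type; /* 3: read/write, expand-up data segment, accessed */
    uint8_t s;    /* 1: code/data descriptor, not a system descriptor */
    uint8_t dpl;  /* for SS this is where CPL is carried */
    uint8_t p;    /* present */
    uint8_t d;    /* 32-bit default operand/stack size */
    uint8_t g;    /* page granularity */
};

enum load_status {
    LOAD_OK,       /* SS loaded; *out holds the fabricated descriptor */
    LOAD_GP,       /* the guest receives #GP(0) */
    LOAD_NOT_NULL, /* a real descriptor lookup would follow; not modelled */
};

/*
 * model_load_ss - outcome of "MOV SS, selector" executed at privilege @cpl.
 *
 * Rules taken from the commit message:
 *  1. A null selector in SS is only legal in 64-bit mode.
 *  2. The selector's RPL must equal CPL, and RPL 3 is refused, so the load
 *     only succeeds at CPL < 3.
 *  3. On success a 32-bit expand-up data descriptor is fabricated with
 *     DPL = CPL, giving the VMCS/VMCB a valid SS type and the right CPL.
 */
static enum load_status model_load_ss(uint16_t selector, unsigned cpl,
                                      bool long_mode, struct seg_desc *out)
{
    unsigned rpl = SEL_RPL(selector);

    if (!SEL_IS_NULL(selector))
        return LOAD_NOT_NULL;

    if (!long_mode || rpl != cpl || rpl == 3)
        return LOAD_GP;

    out->type = 3;
    out->s    = 1;
    out->dpl  = (uint8_t)cpl;
    out->p    = 1;
    out->d    = 1;
    out->g    = 1;
    return LOAD_OK;
}

/* CPL after a successful load, as the VMCS/VMCB derive it from SS.DPL. */
static unsigned cpl_from_ss(const struct seg_desc *ss)
{
    return ss->dpl;
}

int main(void)
{
    /* Constructed scenarios; the first is the case the fix now rejects. */
    struct { uint16_t sel; unsigned cpl; bool lm; const char *what; } cases[] = {
        { 0x0003, 3, true,  "ring-3 guest loads null SS with RPL 3 (64-bit)" },
        { 0x0000, 0, true,  "kernel loads null SS with RPL 0 (64-bit)" },
        { 0x0000, 0, false, "kernel loads null SS in 32-bit protected mode" },
        { 0x0001, 0, true,  "RPL 1 null selector at CPL 0" },
        { 0x0010, 0, true,  "non-null selector, GDT index 2" },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct seg_desc ss = {0};
        enum load_status st = model_load_ss(cases[i].sel, cases[i].cpl,
                                            cases[i].lm, &ss);

        printf("%-48s -> %s", cases[i].what,
               st == LOAD_OK ? "OK" : st == LOAD_GP ? "#GP" : "descriptor lookup");
        if (st == LOAD_OK)
            printf(" (SS.type=%u, SS.DPL=%u, CPL=%u)",
                   ss.type, ss.dpl, cpl_from_ss(&ss));
        printf("\n");
    }
    return 0;
}
```

The `rpl == 3` test is the second half of the fix: without it, a ring-3 guest loading selector 3 passes the `rpl != cpl` check and leaves SS with neither a usable descriptor nor a DPL the VMCS/VMCB can accept, which is exactly the failed vmentry (Intel) and CPL-0 confusion (AMD) the message describes.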
Entry | Last commit | Date
alpha | alpha: fix copy_from_user() | 2016-09-24 10:07:45 +02:00
arc | ARC: mm: arc700: Don't assume 2 colours for aliasing VIPT dcache | 2017-01-09 08:07:48 +01:00
arm | ARM: OMAP4+: Fix bad fallthrough for cpuidle | 2017-01-15 13:41:36 +01:00
arm64 | crypto: arm64/aes-ce - fix for big endian | 2017-01-12 11:22:50 +01:00
avr32 | avr32: off by one in at32_init_pio() | 2016-10-07 15:23:45 +02:00
blackfin | net: smc91x: fix SMC accesses | 2016-09-30 10:18:37 +02:00
c6x | |
cris | cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected | 2017-01-12 11:22:48 +01:00
frv | frv: fix clear_user() | 2016-09-24 10:07:44 +02:00
h8300 | h8300: fix syscall restarting | 2016-11-10 16:36:32 +01:00
hexagon | hexagon: fix strncpy_from_user() error return | 2016-09-24 10:07:44 +02:00
ia64 | ia64: copy_from_user() should zero the destination on access_ok() failure | 2016-09-24 10:07:46 +02:00
m32r | m32r: fix __get_user() | 2016-09-24 10:07:43 +02:00
m68k | m68k: Fix ndelay() macro | 2016-12-15 08:49:23 -08:00
metag | metag: Only define atomic_dec_if_positive conditionally | 2016-10-28 03:01:31 -04:00
microblaze | microblaze: fix copy_from_user() | 2016-09-24 10:07:43 +02:00
mips | KVM: MIPS: Flush KVM entry code from icache globally | 2017-01-12 11:22:43 +01:00
mn10300 | mn10300: copy_from_user() should zero on access_ok() failure... | 2016-09-24 10:07:45 +02:00
nios2 | nios2: copy_from_user() should zero the tail of destination | 2016-09-24 10:07:45 +02:00
openrisc | openrisc: fix the fix of copy_from_user() | 2016-09-24 10:07:46 +02:00
parisc | parisc: Fix TLB related boot crash on SMP machines | 2016-12-15 08:49:22 -08:00
powerpc | powerpc: Fix build warning on 32-bit PPC | 2017-01-15 13:41:36 +01:00
s390 | s390/crypto: unlock on error in prng_tdes_read() | 2017-01-12 11:22:49 +01:00
score | score: fix copy_from_user() and friends | 2016-09-24 10:07:44 +02:00
sh | sh: fix copy_from_user() | 2016-09-24 10:07:44 +02:00
sparc | sparc64: fix compile warning section mismatch in find_node() | 2016-12-10 19:07:25 +01:00
tile | tile: avoid using clocksource_cyc2ns with absolute cycle count | 2016-12-02 09:09:01 +01:00
um | um: Don't discard .text.exit section | 2016-09-07 08:32:38 +02:00
unicore32 | |
x86 | KVM: x86: fix emulation of "MOV SS, null selector" | 2017-01-19 20:17:19 +01:00
xtensa | |
.gitignore | |
Kconfig | |